

Liberty Alliance Project
Open Standards for Network Identity
Will open standards increase eCommerce?
Bill Smith
Director, Liberty Alliance Technology
Sun Microsystems
Permissions
The author has graciously given permission to
reproduce his presentation at the XML 2002
Conference in Baltimore, Maryland. If copied,
changes should not be made and appropriate
citation of the author’s work should be given.
Instructional media + magic, inc., December 2002
Identity
Physical
Height, Weight, Gender
Blood Type, Fingerprint, DNA
Experiential
Education, Travel, Dining
Stock Purchases, Mortgage Balance, Drug Use
Preferential
Food, Clothing, Shelter
Religion, Political affiliation, Club Memberships
Identity
Some information needed to determine who
I am is widely available – I distribute it
A larger set of information is unavailable – I
restrict access to trusted relationships
Most of this information is in digital form
Identity
Control who has access to what information
Choose who to trust, what to give, when to
change
Trust relationships take time to establish
Digital Identity
Much of the information about me is in
digital form, accessible via the Web
It is kept by “trusted brokers”
High-quality services are provided
I can access and update
What's the problem?...
Digital Islands
I have multiple Digital IDs
Information is duplicated and difficult
to synchronize
Better services are possible
Digital Islands
Multiple, disconnected identities scattered across isolated Internet sites:
• User Name: Bill Smith
• Email: bsmith48@freemail.com
• PIN: wcs@foobar.com
• Credit card number
• Social security number
• Drivers license
• Passport
• Entertainment preferences
• Notification preferences
• Employee authorization
• Business calendar
• Dining preferences
• Education history
• Medical history
• Financial assets…
Digital Islands – the problem
Multiple, disconnected identities scattered across isolated Internet sites:
• Inconvenient and frustrating for users
• Distributed identity-services are difficult to develop and deploy
• Continual re-authentication to disparate systems
Network Identity – the solution
A method to link the Digital Islands
Provide a logical single identity
Preserve and enhance existing trust
relationships
Provide choice and opportunity for better
services
Network Identity – it’s simple
A Network Identity is a user’s overall global set of attributes
constituted from their various accounts
Network Identity – not so fast
Digital Islands
Disparate Systems
Lack of communication, interoperability
Conflicting Interests
Technology suppliers, Technology consumers
Service providers, fixed vs. mobile
Consumer Demands
Better services, Improved convenience
Respect Privacy
Network Identity – practical solutions
Broad scope
Web itself
Fixed, wireless, desktop, cell phone, PDA, car ...
Complexity
Technology, Business, Consumer
Service providers
Reality
Digital Islands exist
Trust relationships well-established
A Business Consortium
Solving A Business Problem
Over 130 for-profit, not-for-profit and government organizations,
representing a billion customers, are currently Alliance members
* Only a sample of Liberty members
Liberty’s commercial investment in
network identity and the collaboration of
its diverse array of member companies
can bring a lot to this space. The group’s
combined experience, their collective
ability to drive usage and the fact that
they’re not trying to promote a product
but a solution to a problem will help in
their success.
Dan Blum
Burton Group
Mission of the Liberty Alliance
Establish an open standard for federated
network identity through open technical
specifications that will:
• Support a broad range of identity-based products
and services
• Allow for consumer choice of identity provider(s) and the
ability to link accounts through account federation
• Provide the convenience of simplified sign-on, when
using any network of connected services and devices
• Enable organizations to realize new revenue and cost
saving opportunities
• Allow organizations to economically leverage
relationships with customers, business partners,
and employees
• Improve ease of use for e-commerce
Management Structure
Management Board
• Consists of 16 founding sponsors
• Responsible for overall governance and maintenance
• Final voting authority for specifications and other output
Public Policy Expert Group
• Advise on privacy, security, and other public policy issues
• Liaison to privacy groups and government agencies
Technology Expert Group
• Develops technical architecture and engineering requirements
• Develops technical specifications
• Interoperability
• Adoption
Marketing Expert Group
• Develops marketing requirements and use cases
• Responsible for membership, press relations, and marketing communications
Why is Federated Important?
Centralized Model
• Network identity and user information in single repository
• Centralized control
• Single point of failure
• Links similar systems
Open Federated Model
• Network identity and user information in various locations
• No centralized control
• No single point of failure
• Links similar and disparate systems
(figure: one Central Provider with every Provider attached to it, versus Providers linked directly to one another)
Solution Analogous
to ATM Networks
Separate Cards with Each Bank → Linked Cards within Bank Networks → Seamless Access Across all Networks
• Bank A, ATM Card – Bank ATM Network A
• Bank B, ATM Card – Bank ATM Network B
• Bank C, ATM Card – Bank ATM Network C
(figure: each bank's card first works only at that bank, then within its bank's ATM network, then across all networks)
Individual Accounts with Many Web Sites → Federated Accounts within Trust Domain → Linkage of Trust Domains
(figure: many isolated .com sites, then .com sites grouped into trust domains, then the trust domains linked to one another)
Examples of Trust Domains
B2C – Travel Industry
• Car Rental
• Hotel
• Airline
• Partner Airlines
• Cruise Line
• Livery
B2E – Employee Intranet
• 3rd Party 401k Providers
• Employee Purchase Plans
• Company Intranet
• Health Insurance
• Dental Insurance
B2B – Financial Services
• Treasury
• Debt
• Equity
• Commercial Banking
• Clearing House
• Credit Agencies
B2B – Automotive
• Suppliers
• Dealers
• Transport
• Manufacturers
• Fleet Financing
Specifications: A Phased Approach
Approach Drivers
• Support rapid acceptance and deployment
• Phases build on each other
• Enable incremental adoption
Version 1.0 (Released 15 July 2002)
• Federated network identity
• Opt-in account linking and simplified sign-on within an authentication domain created by business agreements
• Security built across all the features and specifications
Future Versions
• Permissions-based attribute sharing
• Schema/protocols for core identity profile service
• Simplified sign-on across authentication domains created in version 1.0 by business agreements
• Delegation of authority to federate identities/accounts
Version 1.0 Specifications
Builds on top of SAML to provide additional privacy and functionality
Opt-in account linking – Users can link their accounts with different service providers
within “circles of trust”
Enhanced single sign-on for linked accounts – Once users’ accounts are federated,
they log in and authenticate at one linked account, then navigate to another linked account
without having to log in again
Authentication context – Companies linking accounts communicate the type of
authentication that should be used when the user logs in
Global log-out – Users can be automatically logged out of all sites at which they have
active sessions
Multiple Client Support – browser, mobile device, and proxy
SAML in a Nutshell
An XML-based framework for exchanging security information
1. XML schema and definition for security assertions
2. XML schema and definition for a request/response protocol
3. Rules on using assertions with standard transport and
messaging frameworks (SOAP, Web browsers): bindings and
profiles
An OASIS standard
– Vendors and users are both involved
– Codifies current system outputs rather than inventing new
technology
Excellent traction in the marketplace
Liberty Federation/
Account Linking
Pre-existing accounts at various sites can be linked.
Upon linking those accounts, the sites need to be
able to have a frame of reference for the user.
Excite.com – Identity Provider – Joe123
Pets.com – Service Provider – JoeSmith
Books.com – Service Provider – Joe
Liberty Federation/
Account Linking
If account names are exchanged, sites can talk to
each other without the user’s approval
Excite.com – Identity Provider – Joe123; holds JoeSmith@pets.com and Joe@books.com
Pets.com – Service Provider – JoeSmith; holds Joe123@excite.com
Books.com – Service Provider – Joe; holds Joe123@excite.com
Both service providers now hold the same identifier, Joe123@excite.com, and can
match their records about the user with each other without involving the user.
Liberty Federation/
Account Linking
Instead, unique opaque handles resolvable only by
the issuer should be exchanged
Excite.com (Identity Provider, Joe123) ↔ Pets.com (Service Provider, JoeSmith):
<alias="dTvIiRcMlpCqV6xX" SecurityDomain="excite.com" Name="mr3tTJ340ImN2ED" />
<alias="mr3tTJ340ImN2ED" SecurityDomain="Pets.com" Name="dTvIiRcMlpCqV6xX" />
Excite.com (Identity Provider, Joe123) ↔ Books.com (Service Provider, Joe):
<alias="pfk9uzUN9JcWmk4RF" SecurityDomain="excite.com" Name="xyrVdS+xg0/pzSgx" />
<alias="xyrVdS+xg0/pzSgx" SecurityDomain="Books.com" Name="pfk9uzUN9JcWmk4RF" />
The alias on one side of a pair is the Name on the other, and the handles for the
Pets.com pair differ from those for the Books.com pair, so the two service providers
hold no identifier in common and cannot match the user's records with each other.
Liberty – Enhanced SSO
Extends an authentication assertion to include the
“context”
• How did the user log in? Password? Smartcard? Etc.
• When should the user be re-authenticated?
• How did account registration occur? (in person, via web page)
Extends the authentication request to allow for
requesting a strength of authentication
Necessary for real-world scenarios: not all services
require the same level of authentication.
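The authentication-context exchange described above, as an added example that is not part of the original presentation or of the Liberty/SAML specifications: a toy identity provider issues an unsigned, SAML-style authentication assertion that carries how and when the user logged in and how the account was registered, and a service provider decides whether that is good enough for what it requested. The element names, the strength ranking in STRENGTH, the domain names and the timestamps are assumptions made for illustration (a real assertion is signed and uses the normative schema).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Assumed ranking of authentication methods, weakest first (illustration only;
# the Liberty authentication-context classes are richer than this).
STRENGTH = {"Password": 1, "PasswordProtectedTransport": 2, "Smartcard": 3}


@dataclass
class AuthnContext:
    method: str              # how the user logged in (password, smartcard, ...)
    authn_instant: datetime  # when that login happened
    registration: str        # how the account was registered ("InPerson", "WebPage")


def issue_assertion(issuer, audience, name_id, ctx, validity_s=300):
    """IdP side: build an XML authentication assertion carrying the context.
    Simplified: unsigned; a real assertion is signed by the identity provider."""
    t = ctx.authn_instant
    a = ET.Element("Assertion", Issuer=issuer, IssueInstant=t.isoformat())
    cond = ET.SubElement(a, "Conditions", NotBefore=t.isoformat(),
                         NotOnOrAfter=(t + timedelta(seconds=validity_s)).isoformat())
    ET.SubElement(cond, "Audience").text = audience
    st = ET.SubElement(a, "AuthenticationStatement", AuthenticationInstant=t.isoformat())
    ET.SubElement(st, "NameIdentifier").text = name_id
    ET.SubElement(st, "AuthnContext", Method=ctx.method, Registration=ctx.registration)
    return ET.tostring(a, encoding="unicode")


def check_assertion(xml_text, trusted_issuer, my_domain, required_method, max_age_s, now):
    """SP side: return (accepted, reason). Rejects an unknown issuer, an assertion
    outside its validity window or addressed to another provider, a login weaker
    than required_method, and a login older than max_age_s (the "when should the
    user be re-authenticated" question)."""
    a = ET.fromstring(xml_text)
    if a.get("Issuer") != trusted_issuer:
        return False, "untrusted issuer"
    cond = a.find("Conditions")
    not_before = datetime.fromisoformat(cond.get("NotBefore"))
    not_on_or_after = datetime.fromisoformat(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        return False, "assertion outside validity window"
    if cond.findtext("Audience") != my_domain:
        return False, "assertion not addressed to this provider"
    st = a.find("AuthenticationStatement")
    method = st.find("AuthnContext").get("Method")
    if STRENGTH.get(method, 0) < STRENGTH[required_method]:
        return False, "authentication too weak: " + method
    age = (now - datetime.fromisoformat(st.get("AuthenticationInstant"))).total_seconds()
    if age > max_age_s:
        return False, "stale authentication, re-authenticate user"
    return True, "accepted"


def demo():
    """Constructed scenario: one password login, judged under different SP policies."""
    t0 = datetime(2002, 12, 10, 9, 0, tzinfo=timezone.utc)
    ctx = AuthnContext("Password", t0, "WebPage")
    assertion = issue_assertion("excite.com", "books.com", "xyrVdS+xg0/pzSgx", ctx)
    later = t0 + timedelta(seconds=30)
    return {
        "bookstore": check_assertion(assertion, "excite.com", "books.com", "Password", 3600, later),
        "high_value": check_assertion(assertion, "excite.com", "books.com", "Smartcard", 3600, later),
        "stale": check_assertion(assertion, "excite.com", "books.com", "Password", 60, t0 + timedelta(seconds=120)),
        "expired": check_assertion(assertion, "excite.com", "books.com", "Password", 3600, t0 + timedelta(seconds=400)),
        "wrong_site": check_assertion(assertion, "excite.com", "pets.com", "Password", 3600, later),
        "unknown_idp": check_assertion(assertion, "evil.example", "books.com", "Password", 3600, later),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```

The point of the two checks at the end of check_assertion is the one the slide makes: the same password login is sufficient for a bookstore but not for a service that asked for a smartcard, and a login that was fine a minute ago can be too old for a service with a short re-authentication window.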
Liberty – Additional Features
Simple session management
• Provides “single-logout” functionality
Identity federation management
• Ability to terminate the federation
• Ability to modify the opaque handle shared between
authentication authority and relying party
Identity network support
• Specifies a protocol by which a website can “discover” what
Identity Provider a user is using
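The opaque-handle federation of the earlier account-linking slides together with the single-logout, federation-termination and handle-modification features listed on this slide, as one added example that is not part of the original presentation or of the Liberty specifications. The Excite.com / Pets.com / Books.com names and the Joe123 / JoeSmith / Joe accounts are the presentation's own illustration; the classes, method names, the use of secrets.token_urlsafe for handles and the way single logout is driven from the identity provider are assumptions made here.

```python
import secrets


def new_handle():
    # Random, distinct per (user, provider) pair: reveals nothing about the user.
    return secrets.token_urlsafe(12)


class IdentityProvider:  # e.g. excite.com in the slides
    def __init__(self, domain):
        self.domain = domain
        self.federations = {}  # (local_user, sp_domain) -> opaque handle
        self.by_handle = {}    # handle -> local_user: only the issuer can resolve it
        self.sessions = {}     # local_user -> SP domains with a live SSO session

    def federate(self, local_user, sp_domain):
        """Opt-in linking: the SP receives the handle, never the local user name."""
        handle = new_handle()
        self.federations[(local_user, sp_domain)] = handle
        self.by_handle[handle] = local_user
        return handle

    def single_sign_on(self, local_user, sp_domain):
        """User already authenticated here; hand the SP the handle it knows."""
        self.sessions.setdefault(local_user, set()).add(sp_domain)
        return self.federations[(local_user, sp_domain)]

    def rotate_handle(self, local_user, sp_domain):
        """Modify the shared handle; the SP must relink old -> new."""
        old = self.federations[(local_user, sp_domain)]
        new = new_handle()
        del self.by_handle[old]
        self.federations[(local_user, sp_domain)] = new
        self.by_handle[new] = local_user
        return old, new

    def terminate(self, local_user, sp_domain):
        """Federation termination: forget the handle so it no longer resolves."""
        handle = self.federations.pop((local_user, sp_domain))
        del self.by_handle[handle]
        return handle

    def global_logout(self, local_user):
        """Single logout: return the SPs whose sessions must be ended."""
        return self.sessions.pop(local_user, set())


class ServiceProvider:  # e.g. Pets.com or Books.com in the slides
    def __init__(self, domain):
        self.domain = domain
        self.accounts = {}   # handle -> local account name
        self.active = set()  # handles with a live session

    def link(self, local_account, handle):
        self.accounts[handle] = local_account

    def relink(self, old, new):
        self.accounts[new] = self.accounts.pop(old)
        if old in self.active:
            self.active.discard(old)
            self.active.add(new)

    def unlink(self, handle):
        self.accounts.pop(handle, None)
        self.active.discard(handle)

    def accept_sso(self, handle):
        """Map an incoming handle to a local account; None if not federated."""
        account = self.accounts.get(handle)
        if account is not None:
            self.active.add(handle)
        return account

    def logout(self, handle):
        self.active.discard(handle)


def can_correlate(sp_a, sp_b):
    """Colluding SPs compare what they stored. With global names such as
    Joe123@excite.com they would match; with per-pair handles they share none."""
    return bool(set(sp_a.accounts) & set(sp_b.accounts))


def demo():
    """Constructed walk-through of the Excite.com / Pets.com / Books.com scenario."""
    idp = IdentityProvider("excite.com")
    pets, books = ServiceProvider("pets.com"), ServiceProvider("books.com")
    pets.link("JoeSmith", idp.federate("Joe123", pets.domain))
    books.link("Joe", idp.federate("Joe123", books.domain))
    out = {"correlated": can_correlate(pets, books)}
    out["pets_login"] = pets.accept_sso(idp.single_sign_on("Joe123", pets.domain))
    out["books_login"] = books.accept_sso(idp.single_sign_on("Joe123", books.domain))
    old, new = idp.rotate_handle("Joe123", pets.domain)
    pets.relink(old, new)
    out["after_rotate"] = pets.accept_sso(new)
    out["old_handle_rejected"] = pets.accept_sso(old) is None
    for sp_domain in idp.global_logout("Joe123"):
        sp = pets if sp_domain == pets.domain else books
        sp.logout(idp.federations[("Joe123", sp_domain)])
    out["sessions_after_logout"] = len(pets.active) + len(books.active)
    gone = idp.terminate("Joe123", books.domain)
    books.unlink(gone)
    out["books_after_terminate"] = books.accept_sso(gone)
    return out
```

Running demo() shows the property the slides argue for: Pets.com and Books.com each resolve their own handle to a local account, but comparing their stores finds nothing in common, and once a federation is terminated the handle no longer resolves on either side.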
Liberty-Enabled Products
Coming Soon!
Liberty Version 2.0
Permissions-Based Attribute Sharing
• Enable businesses to share a principal's attributes according to their
corporate policies, business agreements and local regulations, all while
adhering to the principal's preferences and permissions
Interoperability Specs for Core Identity Profile Service
• Enables users to obtain secure, personalized services that are
interoperable across different service providers
Federation of Authentication Domains
• Enables users to conveniently navigate and use SSO and share attributes
with service providers who may be in different authentication domains.
Version 2.0 specifications expected early 2003
Liberty – the Initiative
Established to address real business
and technology issues
Recognized as the focal point for Network
Identity discussions and solutions
Produced well-received specification
Proceeding with phased approach to deliver
on vision and mission